Title: Topics In Information Security
1. Topics In Information Security
- Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication
Elad Barkan, Eli Biham, Nathan Keller
Presented by Idan Sheetrit, idanshee_at_post.tau.ac.il
2. Introduction
- GSM is the most widely used cellular system in the world (over a billion customers).
- It is based on second-generation cellular technology (offers digitized voice).
- GSM was the first cellular system that seriously considered security threats.
- GSM was influenced by the political atmosphere around cryptology in the 1980s (which did not allow civilians to use strong cryptography).
- It protects only the air interface.
3. GSM structure
[Figure: GSM network structure; labels: MSC, BSC, ISDN/PSTN, Modem/TA, Internet]
BSC - Base Station Controller
BTS - Base Transceiver Station
MSC - Mobile Switching Center
AuC - Authentication Centre
TA - Terminal Adapter
4. GSM Security
[Figure labels: Mobile Station, Radio Link, GSM Operator, SIM, Ki, Ki]
- Ki: pre-shared secret.
- A3, A8: one-way functions.
- A5/0: no encryption. A5/1: export restricted. A5/2: for export (weaker).
5. Description of A5/2
The key setup of A5/2
6. Description of A5/2 (2)
- First, initialize A5/2 with Kc and f.
- Run A5/2 for 99 cycles.
- Run A5/2 for 228 cycles and use the output as keystream.
- The first 114 bits are used as keystream to encrypt the downlink, and the second half of 114 bits is used for the uplink.
7. Previous work
- A5/1 and A5/2 were reverse engineered.
- Several known-plaintext attacks were published.
- The best attack requires only four plaintext data frames.
8. Ciphertext-Only Attack on A5/2
- GSM must use error correction to withstand reception errors.
- During transmission, a message is first subjected to an error-correction code and then encrypted.
- This structured redundancy in the message can be used for a ciphertext-only attack.
9. Ciphertext-Only Attack on A5/2
- The coding and interleaving operations can be modeled as a multiplication of the message by a constant matrix.
- P: the 184-bit message
- G: a constant 456x184 matrix over GF(2)
- g: a constant vector
- M = (G P) xor g (divided into 4 data frames)
- G is a binary matrix, so there are 456 - 184 = 272 equations that describe the kernel of the inverse transformation.
- H: the matrix that describes these 272 equations, i.e. H(M xor g) = 0
10. Ciphertext-Only Attack on A5/2
- C = M xor k (k is the keystream)
- H(C xor g) = H(M xor k xor g) = H(M xor g) xor Hk = 0 xor Hk = Hk
- C is known, so we have linear equations over the bits of k.
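The identity H(C xor g) = Hk from the two slides above, checked numerically as an added example (it is not code from the paper or the presentation). G and g are random stand-ins with the dimensions given on the slides, not GSM's actual coding matrix, and all function names are illustrative.

```python
import random

N, K = 456, 184   # coded bits and message bits, as on the slides

def parity(x):
    return bin(x).count("1") & 1

def left_kernel(G):
    """Rows h (N-bit ints) with h*G = 0 over GF(2); together they form H.

    G[i] is row i of G packed into a K-bit int. Each row is tagged with a
    unit vector above bit K, so when elimination cancels the G part of a row
    the tag records which rows of G were XORed together to do it.
    """
    mask = (1 << K) - 1
    pivots, H = {}, []
    for i, row in enumerate(G):
        w = row | (1 << (K + i))
        while w & mask:
            top = (w & mask).bit_length() - 1
            if top not in pivots:
                pivots[top] = w
                break
            w ^= pivots[top]
        else:                       # G part reduced to zero: a parity check
            H.append(w >> K)
    return H

def encode(G, g, P):
    """M = (G P) xor g; bit i of G P is <row i of G, P>."""
    return sum(parity(row & P) << i for i, row in enumerate(G)) ^ g

def syndrome(H, v):
    """H v over GF(2), one bit per parity-check row."""
    return [parity(h & v) for h in H]

def demo(seed=1, trials=3):
    rng = random.Random(seed)
    G = [rng.getrandbits(K) for _ in range(N)]  # constructed stand-in for G
    g = rng.getrandbits(N)                      # constructed stand-in for g
    H = left_kernel(G)
    matches = []
    for _ in range(trials):
        P, k = rng.getrandbits(K), rng.getrandbits(N)  # unknown to a listener
        C = encode(G, g, P) ^ k                        # what goes on the air
        matches.append(syndrome(H, C ^ g) == syndrome(H, k))
    return len(H), matches

if __name__ == "__main__":
    print(demo())   # number of equations on k, and whether H(C xor g) == Hk
```

Each row of H yields one linear equation on the keystream bits that can be evaluated from C and g alone, whatever the message P was.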
11. GSM Service Request and Authentication Protocol
[Figure: message sequence; labels: Service Req; Ack (Use A5/1); Authentication Data Request; RAND, XRES, Kc; AUTHREQ(RAND); SRES = XRES?; AUTHREQ(SRES); Cipher]
12. Class-Mark Attack
- An attacker can change the class-mark information that the phone sends to the network.
[Figure labels: Network; Service Req (A5/1); Service Req (A5/2); Use A5/2]
- The attacker's signal must override the phone's signal, or the change is made by a man-in-the-middle attack.
13. Recovering Kc of Past or Future Conversations
- The protocol doesn't provide any key separation (all encryption algorithms use the same key).
- An attacker can use a fake base station and instruct the phone to use A5/2, and then easily resolve Kc (Future Conversation Attack).
- If an attacker recorded the conversation, he can send the recorded RAND to the phone.
- If the attacker has access to the SIM, he can easily get Kc.
- If he doesn't, he can instruct the phone to use A5/2.
[Figure labels: RAND; RES; Use A5/2; Cipher (A5/2)]
14. Man in the middle attack
[Figure: message sequence; labels: RAND; RAND; RES; CIPHMODCMD: A5/2; CIPHMODCMD (Encrypted); RES; CIPHMODCMD: A5/1; CIPHMODCMD (Encrypted)]
15. Attack Scenarios
- Call Wire-Tapping
- Call Hijacking
- Altering of Data Messages (SMS)
- Call Theft: Dynamic Cloning
16. Protocol Weakness
- The authentication protocol can be executed at the beginning of the call. The phone cannot ask for authentication. If there is no authentication, Kc stays as in the previous conversation.
- The network chooses the encryption algorithm (the phone only reports the ciphers it supports).
- The class-mark message is not protected.
- There is no mechanism that authenticates the network to the phone.
- No key separation between the algorithms or methods of communication.
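A small model of two of the weaknesses listed above, the unprotected class-mark and the missing key separation, next to one possible hardening of each. This is an added example, not GSM signalling and not from the paper: the HMAC-based key derivation, the integrity tag over the cipher list and all function names are hypothetical.

```python
import hashlib
import hmac

PREFERENCE = ("A5/1", "A5/2", "A5/0")  # strongest first, as ranked on the slides

def derive(kc: bytes, label: str) -> bytes:
    """Hypothetical key separation: a distinct 64-bit key per purpose."""
    return hmac.new(kc, label.encode(), hashlib.sha256).digest()[:8]

def traffic_key(kc: bytes, alg: str, separated: bool) -> bytes:
    """separated=False is the behaviour on the slides: Kc itself for any cipher."""
    return derive(kc, "cipher:" + alg) if separated else kc

def capability_tag(kc: bytes, ciphers) -> bytes:
    """Hypothetical integrity tag over a class-mark cipher list."""
    data = ",".join(sorted(ciphers)).encode()
    return hmac.new(derive(kc, "integrity"), data, hashlib.sha256).digest()

def network_select(reported) -> str:
    """The network chooses; the phone only reports what it supports."""
    return next(alg for alg in PREFERENCE if alg in reported)

def phone_accepts(kc, supported, echoed, tag) -> bool:
    """Phone-side check: the network echoes the list it received plus a tag.
    The phone proceeds only if the tag verifies and the list is its own."""
    ok = hmac.compare_digest(tag, capability_tag(kc, echoed))
    return ok and set(echoed) == set(supported)

def run(kc, supported, received, protected):
    """One negotiation; returns the cipher in use, or None if the phone aborts."""
    if protected:
        tag = capability_tag(kc, received)      # computed by the real network
        if not phone_accepts(kc, supported, received, tag):
            return None
    return network_select(received)

if __name__ == "__main__":
    kc = bytes(range(8))                        # constructed sample key
    phone = {"A5/1", "A5/2"}
    print(run(kc, phone, {"A5/2"}, protected=False))  # downgraded cipher
    print(run(kc, phone, {"A5/2"}, protected=True))   # None: mismatch detected
```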
17. Acquire a Specific Victim
- GSM includes a mechanism that is intended to protect the identity of the mobile phone.
- Each subscriber is allocated a Temporary Mobile Subscriber Identity (TMSI) over an encrypted link.
- The TMSI can be reallocated every once in a while, in particular when there is a change in the location.
- The TMSI is used to page on incoming calls and for identification during unencrypted parts.
- The fixed identification of the subscriber is its International Mobile Subscriber Identity (IMSI).
- If both the TMSI and the IMSI are unknown to the attacker, he may be forced to listen in to all the conversations in the area.
18. Acquire a Specific Victim (2)
- The attacker has the victim's phone number and wishes to associate it with the subscriber's IMSI or TMSI.
- Solutions:
- Call the victim and monitor all the calls (recognizing his own caller ID).
- Send a malformed SMS message.
- When performing an active attack, the attacker needs to lure the mobile into his own fake base station.
19. GSM-Security
- Cryptographic methods are secret and not well examined.
- Symmetric procedure.
- Consequence: storage of user-specific secret keys with the network operators is required.
- No end-to-end encryption.
- Key generation and administration are not controlled by the participants.
- The same key is used for A5/1 and A5/2.
- No mutual authentication intended.
- Consequence: an attacker can pretend to be a GSM network.
- No end-to-end authentication.
- As a result of the initial publication of this paper, the GSM security group is working to remove A5/2 from the handsets.
20. Thank you
21. Homework
- Define in one line the following: GSM, UMTS, DECT, TETRA, ERMES.
- Why does using a SIM help security?
- How would you attack someone's GSM mobile phone? Describe the system and the steps of the attack.
- Describe at least 3 known weaknesses of GSM and how you can fix them if you could change the standard or the system.
- Bonus: Describe a new attack (which isn't mentioned in the paper) on the GSM network.
E-Mail: idanshee_at_post.tau.ac.il
22. GSM structure
[Figure: GSM structure; labels: Fixed network, Switching Subsystems, Radio Subsystems, OMC, Data networks, VLR, HLR, AuC, EIR, (G)MSC, BTS, BSC, PSTN/ISDN, BSS, MS]
MS - Mobile Station
(G)MSC - (Gateway) Mobile Switching Centre
OMC - Operation and Maintenance Centre
PSTN - Public Switched Telephone Network
VLR - Visitor Location Register
ISDN - Integrated Services Digital Network
AuC - Authentication Centre
BSS - Base Station Subsystem
BSC - Base Station Controller
BTS - Base Transceiver Station
EIR - Equipment Identity Register
HLR - Home Location Register
23. GSM protocols, incoming call
[Figure: incoming call flow between GMSC, HLR, VLR, MSC and BSS, with steps numbered (1) to (12)]
(1) A call from the fixed network is switched via the GMSC.
(2) The GMSC finds out the HLR from the phone number and transmits the need of conversation.
(3) The HLR checks whether the participant is authorized for the corresponding service and asks for the MSRN at the responsible VLR.
(4) The MSRN is returned to the GMSC, which can now contact the responsible MSC.
24. GSM protocols, incoming call
[Figure: incoming call flow between GMSC, HLR, VLR, MSC and BSS, with steps numbered (1) to (12)]
(5) The GMSC transmits the call to the current MSC.
(6) Ask for the state of the mobile station.
(7) Information on whether the end terminal is active.
(8) Call to all cells of the Location Area (LA).
(9) Answer from the end terminal.
(10 - 12) Security check and connection construction.
25. GSM protocols, outgoing call
(1) Demand on connection
(2) Transfer by BSS
(3-4) Control for authorization
(5) Switching of the call demand to the fixed net
26. Protocol